I attempted to upgrade a JunOS SPACE instance from 15.2R1 to 15.2R2. It would sit at “upgrade process has not started” and 0%. If I changed the URI to the base, I’d be back in the SPACE GUI as if nothing had happened and I had never entered maintenance mode.

This was caused by a failed upgrade months earlier which left a msg.<date> file behind in /var/jmp_upgrade/master/msg. Deleting that file allowed me to successfully upgrade the unit.

After a successful upgrade, the msg/ directory will be empty in both the master and slave directories.

In the process, I learned about a few more files that SPACE looks for. If these exist from a failed upgrade, they can keep a new upgrade from starting. Delete these if they exist:

/var/log/activeUpgradeStatus.log

/var/jmp_upgrade/slave/log/upgradeMetaData.txt
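A small pre-upgrade check built from the paths above, as an added example rather than anything shipped with SPACE: it lists leftover files in the master and slave msg/ directories plus the two status files, and removes them only when asked. The function names and the optional root prefix (for trying it against a copy of the tree) are assumptions of this example.

```shell
#!/bin/sh
# Added example: find leftovers of a failed JunOS SPACE upgrade.
# Paths are the ones named in the post; the optional ROOT prefix is an
# assumption of this example so it can be pointed at a copy of the tree.

# Print every leftover file, one per line. Prints nothing on a clean system.
space_stale_upgrade_files() {
    root="${1:-}"
    # After a successful upgrade both msg/ directories are empty, so any
    # regular file in them (e.g. msg.<date>) counts as a leftover.
    for dir in /var/jmp_upgrade/master/msg /var/jmp_upgrade/slave/msg; do
        for f in "$root$dir"/*; do
            if [ -f "$f" ]; then printf '%s\n' "$f"; fi
        done
    done
    # The two status files SPACE also looks for.
    for f in /var/log/activeUpgradeStatus.log \
             /var/jmp_upgrade/slave/log/upgradeMetaData.txt; do
        if [ -f "$root$f" ]; then printf '%s\n' "$root$f"; fi
    done
}

# Delete the leftovers and print how many files were removed.
space_clear_stale_upgrade_files() {
    stale=$(space_stale_upgrade_files "${1:-}")
    if [ -z "$stale" ]; then echo 0; return 0; fi
    printf '%s\n' "$stale" | while IFS= read -r f; do
        rm -f -- "$f"
    done
    printf '%s\n' "$stale" | grep -c ''
}

# Report only. Run space_clear_stale_upgrade_files once the list looks right.
space_stale_upgrade_files "${SPACE_ROOT:-}"
```

Run it from the SPACE shell as root before entering maintenance mode; no output means nothing is left over from an earlier attempt.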

You can find a clue as to why your upgrade is not proceeding in these two directories:

Concerns about online security are widespread. No-one wants their logins and finances compromised. How to act on those concerns can be confusing.

How security pros and general users go about securing their devices is quite different. Users often rely on software such as AntiVirus. Security pros likely also use AV, but it’s not their first line of defense.

I’ll share what I consider to be good practice, and what has kept my own machines free from malware for well over two decades now.

Patch religiously, fanatically

Use a password safe and unique passwords

Don’t pirate anything

Be a little paranoid about attachments and links in email

And sure, for defense in depth, run some AV. Chances are it’ll never find anything, though.

If you are only going to do a little, then patch and start using a password safe. That will give you the biggest bang for your effort.

Let me go into those in some more detail.

Patch religiously, fanatically

This is all about what we security geeks call “attack surface”. The fewer vulnerabilities your system has, the less likely it is to be compromised. The number of machines that are compromised through known, long-discovered and long-patched vulnerabilities in, say, Adobe Flash, is truly staggering.

So patch religiously. Set everything you can to auto-update. That includes the OS itself, the browser, Java, Flash, Adobe Reader, and really any piece of software that can be updated.

A corollary to this is to reduce the amount of software you need to be on top of.

Not running any Java code? Uninstall Java.

Using a browser that contains its own version of Flash, such as Google Chrome or MS Edge or MS IE 11? Ditch the standalone Flash install.

The main vectors for compromise for a few years running have been Adobe Flash, Adobe Reader, and Oracle Java. Word and Excel get a (dis)honorable mention.

Use a password safe and unique passwords

Passwords are still with us, they’ll continue to be with us for a long time, and they are a terrible way to secure access to important stuff.

So, at the very least, make things easy on yourself and hard on attackers: Use a password safe. There are a number of options available, but if you don’t have very specific criteria, you can’t go far wrong with LastPass. It combines convenience with security.

Convenience is important: If using unique passwords becomes a chore, you likely won’t do it. LastPass will fill in passwords, log you in automatically, generate strong passwords for you and, if you want it to, even change passwords periodically for you.

For your “master password” for LastPass, one good idea is to choose a number of unrelated nouns. An example is “Correct Horse Battery Staple”. Just, for the love of security, do not use that actual example, because it’s a published example. Passwords only work if they are secret.

And then you can start assigning unique, strong passwords to all of your critical accounts. Eventually, all of your accounts. LastPass can help with that chore by running a check on your password database and telling you where you have duplicates and where you have weak passwords.

If you are going to run AntiVirus, there is a copy of LastPass bundled with Webroot, so that’s an option to cut down on the number of software packages you subscribe to.

Don’t pirate anything

What’s this, blogger Dad Mode? The thing about pirated content is that it often comes with something extra, that extra being malware. Once you invite malware into your system, all bets are off. The easiest way to avoid that vector of compromise is to just buy everything outright.

Adult video sites are also notorious for attempts at “drive-by” installs of malware, so browse with care.

Be a little paranoid about attachments and links in email

This is a tough one. Even security pros fall for so-called “spear phishing” attempts, emails with attachments that look legitimate and look like they come from a trusted source, but are actually carriers for malware.

That said, most of those kinds of emails are pretty crude. If you’re being asked to “verify your account” or “enter your password here”, that won’t be a legitimate email. Unless you know you just initiated a password reset yourself and you expect that email. And that’s where it gets a little tough to distinguish between the two. So, be cautious. Check the sender address. When in doubt, manually browse to the site in question, don’t click on the link in the email.

For attachments, if it’s not from a trusted source and you don’t expect it, delete it. No, UPS doesn’t send you Word documents. 🙂

Run some AV software

This is really dead-last. AntiVirus software will not detect a lot of malware, and this is meant only to give you one last chance to stop something if all the above defenses fail. If you are not patching religiously and using strong passwords, start there, not here.

I do run AV, as a last-ditch defense if everything else fails, and in the past two decades, my AV hasn’t picked up anything but emails I didn’t act on. I could arguably run without AV and be fine. But then I’d always be wondering whether something slipped through my defenses, after all, so out of an abundance of caution, I pay a subscription for “Medicine”.

Traditional signature-based AntiVirus software can catch maybe 18% of what’s out there, on a good day. So that’s pretty useless. Happily, the industry is evolving.

The best option for a home user – and I say this because as far as I know, it’s the only option for a home user that has modern detection mechanisms – is Webroot, as of November 2016. It happens to come with a copy of LastPass, reskinned as Webroot Password Manager, so that’s a big plus. Webroot does not do signature-based detection; instead it’s using behavior analysis.

There are other “Next Generation AV” products out there, but nothing else that fits the budget and needs of a home user as far as I am aware.

If you want to add a little bit more protection, then Malwarebytes Anti-Exploit Free is a good choice to protect browsers and Adobe Reader. To get it free, just download the trial and wait for the trial period to expire, then switch it to free mode.

And if you absolutely want more “medicine” and don’t mind paying for it, the full Malwarebytes package is a good choice. I’m running it, but honestly, I wouldn’t install it on my mom’s PC. That’s arguably overkill when patching, secure password use, Webroot, and Anti-Exploit Free are already in place.

I wanted to convert an MBR/BIOS boot drive to GPT/UEFI, but without needing to decrypt and then re-encrypt Bitlocker. Mainly because I am lazy. This worked, but I’ll warn that the advice to decrypt completely first is without any doubt the safest way to go.

Print out your Bitlocker Recovery Key from Control Panel, Bitlocker. You will need this key.

Take a backup. No seriously. Use Veeam Endpoint if you don’t have anything else installed to take backups. Stuff goes wrong with computers, and you don’t want to lose your system installation and data.

Suspend Bitlocker protection on your system drive.

Reboot from your Windows installation / recovery DVD/USB, verify that you can get to your c:\windows directory. This might be d:\windows if you have a recovery partition at the end of the disk.

Now boot into Windows and convert to GPT using gptgen

When you then boot into the Windows installation / recovery media, you’ll be asked for the Bitlocker Recovery Key. After that, the rest of the steps are as in the generic instructions.

When booting into Windows (assuming you changed your BIOS to boot (U)EFI instead of MBR now), you’ll be asked for the recovery key again.

In my case, the drive didn’t show suspended. I suspended it again.

After that, resuming Bitlocker encryption will fail with “The System cannot find the file specified”.

Open Explorer, navigate to C:\Windows\System32\Recovery and rename the file “ReAgent.xml” to “ReAgent.xml.old”

Resume Bitlocker encryption on drive C:\. This should now succeed.

Reboot for good measure to verify that everything works and you don’t get prompted for the recovery key any more.

The admin user on JunOS SPACE, which is used for ssh / root access, has a default password expiry of 70 days. This may not be desired.

NB: An upgrade of the JunOS SPACE platform will set the admin password expiry to the default of 70 days again. To avoid the admin user password being prompted for change after the upgrade, this procedure needs to become part of your documented upgrade procedure for JunOS SPACE:

Change admin user last password change to be today using chage

Upgrade SPACE

Change admin user expiry to “never” using chage

The Linux command “chage” will show you the current settings for a user and lets you change those:

Log in as admin via ssh

Choose “(Debug) run shell”

Use “chage” to see and then change the admin password expiry:
chage -l admin
Last password change : Mar 15, 2016
Password expires : May 24, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 70
Number of days of warning before password expires : 7

Change the parameters:

chage admin
Changing the aging information for admin
Enter the new value, or press ENTER for the default

chage -l admin
Last password change : Mar 25, 2016
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
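
The same check without the interactive prompts, as an added example that is not part of the original post: it reads “chage -l admin” output and flags the 70-day expiry that an upgrade puts back. The function names are made up for this example, and the sample text is the output shown above.

```shell
#!/bin/sh
# Added example: audit the SPACE admin account's password aging.

# Read `chage -l` output on stdin, print "<Password expires>|<Maximum days>".
# Real chage pads the labels with tabs, so the separator allows tabs and spaces.
chage_summary() {
    awk -F'[ \t]*:[ \t]*' '
        /^Password expires/ { expires = $2 }
        /^Maximum number of days between password change/ { max = $2 }
        END { sub(/[ \t]+$/, "", expires); sub(/[ \t]+$/, "", max)
              printf "%s|%s\n", expires, max }'
}

# Non-interactive forms of the two chage steps in the upgrade procedure.
space_admin_chage_cmd() {
    case "$1" in
        pre)  echo "chage -d $(date +%Y-%m-%d) admin" ;;  # last change = today
        post) echo "chage -m 0 -M 99999 admin" ;;         # expiry = never
        *)    return 2 ;;
    esac
}

# Exit 0 if the password never expires, 1 if aging is active again
# (which is the state an upgrade leaves behind).
admin_aging_check() {
    summary=$(chage_summary)
    expires=${summary%%|*}
    max=${summary##*|}
    if [ "$expires" = "never" ]; then
        echo "OK: admin password does not expire (max days: $max)"
        return 0
    fi
    echo "EXPIRES: $expires (max days: $max); fix with: $(space_admin_chage_cmd post)"
    return 1
}

# Sample input: the first "chage -l admin" output from the post.
sample_after_upgrade() {
    cat <<'EOF'
Last password change : Mar 15, 2016
Password expires : May 24, 2016
Password inactive : never
Account expires : never
Minimum number of days between password change : 7
Maximum number of days between password change : 70
Number of days of warning before password expires : 7
EOF
}

# Demo on the sample; on the SPACE shell use: chage -l admin | admin_aging_check
sample_after_upgrade | admin_aging_check || true
```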

Picture this: Bob, your JunOS SPACE administrator, left the company. IT diligently wiped his laptop. Bob was the only one who had the admin password (for ssh / CLI access) to your JunOS SPACE installation.

After vowing to do better in future and storing all infrastructure passwords in some form of centralized, encrypted, backed-up password safe, you are left with the task of restoring access.

If you are running your JunOS SPACE instance on an appliance, all you need is a USB stick and Juniper’s instructions. (Note: That may not be entirely true – see discussion of how /etc/shadow behaves in 14.1R2 of SPACE, below)

Power down the SPACE VM and change its boot properties to force boot into BIOS, and delay by 10,000ms for good measure, like so:

Power on the SPACE VM, and open a Console. You’ll find yourself in the BIOS shortly. Connect the virtual CD drive to the ISO you downloaded (that’s the CD-with-wrench icon in the Console) and change the BIOS to boot from CD first, like so:

Alternatively, you could have left the BIOS alone and hit ESC to get the boot menu during the 10 second boot delay.

Whichever option you choose, make sure the CD has finished connecting (loading the ISO) before you hit F10/Enter. If you are remote to your VMWare host, it may make sense to upload the ISO to the datastore first, and connect the virtual CD to that copy.

Once the VM has booted from the rescue ISO, I chose the “standard with US keymap” boot option for the rescue disk.

With this in hand, I could “vi /mnt/custom/etc/shadow” and insert the string for the new password, which looks like this:

Save that file using “:x!” in vi and you are ready to “reboot”

Note: Typing that string in the VMWare Console is going to be extremely error-prone. It makes sense to ssh to the rescue Linux instead, so you can copy/paste. Use “ifconfig” to see whether you received a DHCP address. If not, you’ll need to follow the instructions for the rescue image to enable networking – or manually type the password string.

If you changed the BIOS to boot from CDROM first, undo that change when the boot screen comes up.

After reboot, you should be able to log in as admin with the default password and use the option “1” to change the password:

Now that you’re back in the CLI, you can follow Juniper’s instructions for resetting the password for the ‘super’ user which is used for GUI access and the ‘maintenance’ user which is used for software updates.

With those three accounts restored, you have the access needed to administrate JunOS SPACE again – and set up further GUI authentication for users as desired.

In Extreme Networks’ Netsight management appliance, it is possible to configure external authentication (LDAP or RADIUS) and not set it to “fail to OS,” which is a checkbox that is unchecked by default. If your LDAP or RADIUS server is down, or if you made a mistake entering settings, you’ve just locked yourself out of the Web UI.

There is a way to recover from this without rebuilding Netsight.

I’ll be assuming you still have an OS-level login via ssh to the unit. These instructions assume Netsight on Linux. Netsight on Windows would be similar, you’d just have to figure out where your MySQL utilities live.

This was tested with Netsight 6.3

After logging in to the OS (an ssh session if this is Netsight on Linux), start mysql and connect to the database:

[Edit 2016-12-01 … changed the VBA code to format the phone number with dashes]
[Edit 2016-11-07 … changed the VBA code to handle WebEx invites, too]
[Edit 2015-10-27 … changed the VBA code to be able to extract the phone number]

By default, the “Location” for a Skype for Business (née Lync) Meeting in an Outlook calendar invite reads as “Skype Meeting”. WebEx is no better. This is not very friendly to mobile users who want to dial in via phone. If the body of the meeting contains a lot of agenda text, the WebEx / Skype dial-in information may not display at all on mobile; and without something in the “Location”, a user can’t just tap the invite to dial in directly.

I wanted to have a Macro that lets me set the “Location” to “phone-number,,,conference-id#”. This way, the user can dial, and will be logged in automatically.
An alternative (you’d need to slightly modify the code by replacing “,,,” in the second line with ” ; “) would be “phone-number ; conference-id#” which makes the conference id available in the dial screen to be sent with one touch.

Further, I wanted to be able to control permissions through the Skype Meeting Options, which means I can’t use a “dedicated meeting space”, but have to use the “new meeting space” option, which means the conference ID changes with every meeting.

I want to hear when people enter or leave, I don’t want anyone to have to wait around in a lobby, and I conference with customers, so I don’t want restrictions as to who can join or present. The screenshot below shows the permissions I chose before hitting “Remember Settings”.

The macro I created can extract US phone numbers. If you have a need for international number detection, you’d need to key on the country code and then have individual patterns from there in a case structure. There’s no good way I know of to handle international number formats in a single regex.

In order to use the macro, you’ll need to:

– Enable access to the coding tools in Outlook, the “Developer” toolbar

– Create the macro

– Sign the macro and save

– Link the macro to the “New Appointment” screen

The macro was created for use with Outlook 2016, 2013 and 2010. The current version has only been tested with Outlook 2016.

Enable access to the coding tools in Outlook

From the Outlook main window, click on “File” then “Options”

In the “Outlook Options” window, click on “Customize Ribbon” on the left. Check the “Developer” box so that the ribbon shows up.

Click OK

Create the macro

From the Outlook main window, click the “Developer” toolbar, then the “Visual Basic” icon

Right-click the Project name in the left pane, choose “Properties…” and set the “Project Name” to “Conf”, then click OK.

Under “Modules”, you should see a “Module 1” with an empty window to the right. Click it and paste the code below.

<Edit> Now with code formatting that will paste correctly.

Sub AddLocation()
    Application.ActiveInspector.CurrentItem.Location = GetConfNumUsingRegEx() & ",,," & GetConfCodeUsingRegEx() & "#"
End Sub

Function GetConfNumUsingRegEx() As String
    ' Set reference to VB Script library
    ' Microsoft VBScript Regular Expressions 5.5
    Dim olAppt As Outlook.AppointmentItem
    Dim Reg1 As RegExp
    Dim M1 As MatchCollection
    Dim M As Match
    Dim fNumber As String ' Formatted phone number
    Dim Found As Boolean ' True once a preferred toll-free number has been picked
    Dim i As Integer ' Pass counter for the retry loop
    Set olAppt = Application.ActiveInspector.CurrentItem
    ' Debug.Print olAppt.Body
    Set Reg1 = New RegExp
    For i = 1 To 2 ' Run through twice in case this hasn't been saved and WebEx info isn't there yet
        With Reg1 ' look for the bizarre CI number we use, and prefer it if it's there
            .Pattern = "tel:\+1855-SkypeCI"
            .Global = True
        End With
        If Reg1.test(olAppt.Body) Then
            GetConfNumUsingRegEx = "+1-855-759-7324"
            Exit Function
        End If
        ' You can copy / paste code from "With Reg1" to "End If" any number of times if there are
        ' additional preferred numbers / oddly formatted numbers you want to be on the lookout for
        With Reg1 ' look for tel: style links, US numbers being matched
            .Pattern = "tel\s*[:]+\s*((?:\+?(\d{1,3}))?[-. (]*(\d{3})[-. )]*(\d{3})[-. ]*(\d{4})(?: *(?:ext\.|ext|x)?\s*(\d+))?)\w*"
            .Global = True
        End With
        If Reg1.test(olAppt.Body) Then
            Set M1 = Reg1.Execute(olAppt.Body)
            For Each M In M1 ' Find preferred toll-free number
                If (Found = False) And ((M.SubMatches(2) = "800") Or (M.SubMatches(2) = "844") Or (M.SubMatches(2) = "855") Or (M.SubMatches(2) = "866") Or (M.SubMatches(2) = "877") Or (M.SubMatches(2) = "888")) Then
                    Found = True
                    GetConfNumUsingRegEx = FormatPhoneNumber(M.SubMatches(0))
                    Exit Function
                End If
            Next
            ' No preferred number, use the first one
            Set M = M1(0)
            GetConfNumUsingRegEx = FormatPhoneNumber(M.SubMatches(0))
            Exit Function
        End If
        With Reg1 ' sometimes tel: is missing, again US numbers being matched
            .Pattern = "((?:\+?(\d{1,3}))?[-. (]*(\d{3})[-. )]*(\d{3})[-. ]*(\d{4})(?: *(?:ext\.|ext|x)?\s*(\d+))?)\w*"
            .Global = True
        End With
        If Reg1.test(olAppt.Body) Then
            Set M1 = Reg1.Execute(olAppt.Body)
            For Each M In M1 ' Find preferred number
                If (Found = False) And ((M.SubMatches(2) = "800") Or (M.SubMatches(2) = "844") Or (M.SubMatches(2) = "855") Or (M.SubMatches(2) = "866") Or (M.SubMatches(2) = "877") Or (M.SubMatches(2) = "888")) Then
                    Found = True
                    GetConfNumUsingRegEx = FormatPhoneNumber(M.SubMatches(0))
                    Exit Function
                End If
            Next
            ' No preferred number, use the first one
            Set M = M1(0)
            GetConfNumUsingRegEx = FormatPhoneNumber(M.SubMatches(0))
            Exit Function
        End If
        olAppt.Save ' This will fill in WebEx info with WebEx Productivity Tools running and try again
    Next i
End Function

Function GetConfCodeUsingRegEx() As String
    ' Set reference to VB Script library
    ' Microsoft VBScript Regular Expressions 5.5
    Dim olAppt As Outlook.AppointmentItem
    Dim Reg1 As RegExp
    Dim M1 As MatchCollection
    Dim M As Match
    Set olAppt = Application.ActiveInspector.CurrentItem
    ' Debug.Print olAppt.Body
    Set Reg1 = New RegExp
    With Reg1 ' look for Skype/Lync pattern
        .Pattern = "Conference ID\s*[:]+\s*(\d*)\s*"
        .Global = True
    End With
    If Reg1.test(olAppt.Body) Then
        Set M1 = Reg1.Execute(olAppt.Body)
        Set M = M1(0)
        GetConfCodeUsingRegEx = M.SubMatches(0)
        Exit Function
    End If
    With Reg1 ' look for WebEx public or private room pattern
        .Pattern = "[Aa]ccess code\)?\s*[:]+\s*(\d*\s?\d*\s?\d*)"
        .Global = True
    End With
    If Reg1.test(olAppt.Body) Then
        Set M1 = Reg1.Execute(olAppt.Body)
        Set M = M1(0)
        GetConfCodeUsingRegEx = Replace(M.SubMatches(0), " ", "") ' strip all spaces
        Exit Function
    End If
End Function

Function FormatPhoneNumber(sRawNumber As String) As String
    'Purpose: Formats a US telephone number as 999-999-9999,,,165.
    'Works with x, ext, ext. or just space before extension
    'Works with or without 1-number or +1-number
    'Works with or without spaces, dashes or parentheses between and around number groups
    'Does NOT deal with international numbers
    Dim sPhoneNumber As String 'Phone number formatted as 999-999-9999
    Dim Reg1 As RegExp
    Dim M1 As MatchCollection
    Dim M As Match
    Set Reg1 = New RegExp
    With Reg1 ' US numbers being matched
        .Pattern = "((?:\+?(\d{1,3}))?[-. (]*(\d{3})[-. )]*(\d{3})[-. ]*(\d{4})(?: *(?:ext\.|ext|x)?\s*(\d+))?)\w*"
        .Global = True
    End With
    If Reg1.test(sRawNumber) Then
        Set M1 = Reg1.Execute(sRawNumber)
        Set M = M1(0)
        If Not Len(M.SubMatches(1)) = 0 Then ' Starting with a code like "1"
            sPhoneNumber = M.SubMatches(1) & "-" & M.SubMatches(2) & "-" & M.SubMatches(3) & "-" & M.SubMatches(4)
        Else
            sPhoneNumber = M.SubMatches(2) & "-" & M.SubMatches(3) & "-" & M.SubMatches(4)
        End If
        If Not Len(M.SubMatches(5)) = 0 Then ' Found an extension
            sPhoneNumber = sPhoneNumber & ",,," & M.SubMatches(5)
        End If
    End If
    'Return formatted phone number
    FormatPhoneNumber = sPhoneNumber
End Function

This code should work as-is. If desired, you can hard-code a number to be used for your own invites inside the GetConfNumUsingRegEx() function.

In the Visual Basic editor, click the “Tools” menu, then “References…” and check the “Microsoft VBScript Regular Expressions 5.5”, then click “OK”. This is required for the macro to function.

Here is a screen shot of the VBA editor for reference:

Sign the macro and save

Outlook 2010, by default, has a macro security setting of “Notifications for digitally signed macros, all other macros disabled”. Without signing the macro, it may work the first time around, but you might get an error message that “the macros in this project are disabled” in future.

We’ll create a self-signed cert and apply it. For Outlook 2010 and 2013, look for the “Digital Certificate for VBA Projects” application in the Start menu, give it your name, and click “OK” to create the certificate, like so:

N.B.: Your installation of Office might not have linked this utility in the Start Menu. My O365 copy of Office 2016 does not, for example. In that case, open File Explorer, navigate to where Office is installed (C:\Program Files (x86)\Microsoft Office\Office16 is the default path for Office 2016), and launch the “SELFCERT.EXE” program.

Next, apply this certificate to your project. In the VBA editor, choose the “Tools” menu then “Digital Signature…” and apply the certificate you just created by selecting it via “Choose…” then clicking “OK”:

Lastly, save your Project via “File” and “Save VbaProject.OTM”.

When that is done, you can close the VBA editor screen either via the X in the corner or through the “File” menu.

At some point when first executing the macro, you may see a warning asking whether to trust the certificate you just created. Choose “Enable Macros” or “Trust all documents from this publisher”:

Link the macro to the “New Appointment” screen

This was actually the least intuitive step of the whole lot.

In Outlook, click on “Calendar”, then “New Meeting”. As far as I can tell, you can only add the macro to the ribbon while in that window.

With that new meeting window open, click “File”, then “Options”.

Click on “Customize Ribbon”

Right-click “Appointment” and choose “Add New Group”

Right-Click the “New Group (Custom)” and rename it to “Conf”

Select “Conf (Custom)” and use the up-arrow to the right to move it just under “Skype Meeting” or “WebEx”, depending on which you use.

With “Conf (Custom)” still selected, change “Choose commands from:” on the left-hand list to “Macros”

Click on the “Conf.AddLocation” macro and use the “Add>>” button

The macro should now show up in your “Conf (Custom)” group.

Click OK and test the macro!

Screenshot of what this ribbon option window looks like below.

All Done

This is a fairly serious amount of effort just to get a phone number into the “Location” field. For me, it was worth it because that effort makes life easier for my customers joining my meetings.